> 5) If a voting member casts a REVIEWING vote, then the Editor may
> delay an Interim or Final Decision for at least 2 weeks after the
> vote was cast. After the 2 week time period, the Editor may extend
> the delay, or disregard the REVIEWING vote and move the candidate
> to Interim Decision.
Fine, as long as there is a REVIEWING WITHOUT DELAY voting option that
indicates to everyone that the issue is being reviewed by the voting
member, but should not be delayed in the approvai process.
> 7) If a voting member votes on a candidate for a security problem
> found in a product owned by a competing organization, then that
> member's vote cannot be counted towards the Quorum, unless the
> competing organization has publicly acknowledged the problem.
Does this include the inferred vote that occurs when a competing
organization casts a MODIFY vote? Also, how is a competing organization
defined? Is it compartmentalized by vendors, academic, and government, or
perhaps IDS, VA, and other security products? (For that matter, are voting
members in the academic and governmental communities perceived as
competitors? :-) )
On a similar issue, would a MODIFY followed by a reference citation into
a voting member's database constitute a public acknowledgement of the
problem? I think I know the answer to this question, but I would like to see
it articulated for the record.
> Guidance
> --------
[...]
> 3) A voting member should vote on candidates according to approved
> content decisions, instead of their own personal preferences.
> Informally, a voting member should not REJECT a candidate if all of
> the following apply:
> - the candidate is not a duplicate of other candidates/entries
> - it satisfies all approved content decisions (CD's)
> - it satisfies CVE's vulnerability/exposure definition
Would it be appropriate to add a "no supporting documentation" clause to
this list? Although recent entries do not (usually) have this problem, some
older CANs have no references. It's not good form to prevent a voting member
from casting a REJECT just because CVE claims that an issue exists without
external support.
> 4) A voting member should not vote for a candidate that is related to
> a security problem in a competitor's product, unless the competitor
> has acknowledged that the problem exists.
Again, would a MODIFY followed by a reference citation suffice as
acknowledgement? Personally, I'm in it for the security, and I'll leave the
cutthroats in Marketing. :->
Thanks for getting these content decisions rolling.
Andre Frech
afrech@iss.net
Internet Security Systems
(678)443-6241
http://www.iss.net